-
-
[求助]关于VirtualQueryEx枚举地址信息不准确
-
发表于: 2011-5-8 20:58
-
这几天在做一个内存扫描器,用VC做个复杂的扫描器真不容易呀碰到了很多问题大家帮帮忙
现在主要的问题是 利用 MEMORY_BASIC_INFORMATION 输出的信息判断的问题
MEMORY_BASIC_INFORMATION mbInfo;
if (ReadMemType == 6)//基地址
{
SegLen=VirtualQueryEx(pHandle,MemBaseStart,&mbInfo,BaseInfoLen);
if ((mbInfo.RegionSize>4096
&&mbInfo.State==MEM_COMMIT
&&mbInfo.Type==MEM_IMAGE
&&mbInfo.Protect==PAGE_READWRITE //4
&&mbInfo.AllocationProtect==PAGE_EXECUTE_WRITECOPY
)
||
(mbInfo.RegionSize>4096
&&mbInfo.State==MEM_COMMIT
&&mbInfo.Type==MEM_IMAGE
&&mbInfo.Protect==PAGE_WRITECOPY //8
&&mbInfo.AllocationProtect==PAGE_EXECUTE_WRITECOPY
)
||
(mbInfo.RegionSize>4096
&&mbInfo.State==MEM_COMMIT
&&mbInfo.Type==MEM_IMAGE
&&mbInfo.Protect==PAGE_EXECUTE_READ //32
&&mbInfo.AllocationProtect==PAGE_EXECUTE_WRITECOPY
)
||
(mbInfo.RegionSize>4096
&&mbInfo.State==MEM_COMMIT
&&mbInfo.Type==MEM_IMAGE
&&mbInfo.Protect==PAGE_EXECUTE_READWRITE //64
&&mbInfo.AllocationProtect==PAGE_EXECUTE_WRITECOPY
))
{
PUCHAR Seg = (PUCHAR)malloc(mbInfo.RegionSize);
SIZE_T ReadLen;
ReadProcessMemory(pHandle,mbInfo.BaseAddress,Seg,mbInfo.RegionSize,&ReadLen);
if (PValue == NULL && fValue != NULL)
{
SearchValue(SearchType,true,false,Seg,NULL,fValue,NULL,mbInfo,ReadLen);
}
else if (PValue == NULL && fValue == NULL && dValue != NULL)
{
SearchValue(SearchType,true,false,Seg,NULL,NULL,dValue,mbInfo,ReadLen);
}
else
{
SearchValue(SearchType,true,false,Seg,PValue,NULL,NULL,mbInfo,ReadLen);
}
free(Seg);
MemBaseStart=(LPVOID)((char*)MemBaseStart+mbInfo.RegionSize);
}
else
{
MemBaseStart=(LPVOID)((char*)MemBaseStart+mbInfo.RegionSize);
}
double iPos = (double)(DWORD)MemBaseStart * 100 / (double)(DWORD)MemBaseEnd;
m_Progress1.SetPos((int)iPos);
}
这是我其中一段程序的代码片段 ,太长了没法贴全部
现在主要的问题是 判断 mbInfo.RegionSize>4096 或 != 但是枚举出来的地址 还是有 区域大小为4096的地址,而且不少,反复看了下代码好像没问题,把每个判断分段来还是跟上述问题一样,
是我的判断有问题还是别的地方有毛病,希望大家帮帮忙...
现在主要的问题是 利用 MEMORY_BASIC_INFORMATION 输出的信息判断的问题
MEMORY_BASIC_INFORMATION mbInfo;
if (ReadMemType == 6)//基地址
{
SegLen=VirtualQueryEx(pHandle,MemBaseStart,&mbInfo,BaseInfoLen);
if ((mbInfo.RegionSize>4096
&&mbInfo.State==MEM_COMMIT
&&mbInfo.Type==MEM_IMAGE
&&mbInfo.Protect==PAGE_READWRITE //4
&&mbInfo.AllocationProtect==PAGE_EXECUTE_WRITECOPY
)
||
(mbInfo.RegionSize>4096
&&mbInfo.State==MEM_COMMIT
&&mbInfo.Type==MEM_IMAGE
&&mbInfo.Protect==PAGE_WRITECOPY //8
&&mbInfo.AllocationProtect==PAGE_EXECUTE_WRITECOPY
)
||
(mbInfo.RegionSize>4096
&&mbInfo.State==MEM_COMMIT
&&mbInfo.Type==MEM_IMAGE
&&mbInfo.Protect==PAGE_EXECUTE_READ //32
&&mbInfo.AllocationProtect==PAGE_EXECUTE_WRITECOPY
)
||
(mbInfo.RegionSize>4096
&&mbInfo.State==MEM_COMMIT
&&mbInfo.Type==MEM_IMAGE
&&mbInfo.Protect==PAGE_EXECUTE_READWRITE //64
&&mbInfo.AllocationProtect==PAGE_EXECUTE_WRITECOPY
))
{
PUCHAR Seg = (PUCHAR)malloc(mbInfo.RegionSize);
SIZE_T ReadLen;
ReadProcessMemory(pHandle,mbInfo.BaseAddress,Seg,mbInfo.RegionSize,&ReadLen);
if (PValue == NULL && fValue != NULL)
{
SearchValue(SearchType,true,false,Seg,NULL,fValue,NULL,mbInfo,ReadLen);
}
else if (PValue == NULL && fValue == NULL && dValue != NULL)
{
SearchValue(SearchType,true,false,Seg,NULL,NULL,dValue,mbInfo,ReadLen);
}
else
{
SearchValue(SearchType,true,false,Seg,PValue,NULL,NULL,mbInfo,ReadLen);
}
free(Seg);
MemBaseStart=(LPVOID)((char*)MemBaseStart+mbInfo.RegionSize);
}
else
{
MemBaseStart=(LPVOID)((char*)MemBaseStart+mbInfo.RegionSize);
}
double iPos = (double)(DWORD)MemBaseStart * 100 / (double)(DWORD)MemBaseEnd;
m_Progress1.SetPos((int)iPos);
}
这是我其中一段程序的代码片段 ,太长了没法贴全部
现在主要的问题是 判断 mbInfo.RegionSize>4096 或 != 但是枚举出来的地址 还是有 区域大小为4096的地址,而且不少,反复看了下代码好像没问题,把每个判断分段来还是跟上述问题一样,
是我的判断有问题还是别的地方有毛病,希望大家帮帮忙...
